Things have been very quiet about the progress of the Bitfrost
security implementation. Due to a very complex chain of
implementation dependencies, we've had to wait until recently to be
able to kick the security work into high gear. I'm happy to report
that this has now happened and things are moving along quickly.

11 days ago, we merged our FRS containerization solution into a
branch of our kernel tree:

http://dev.laptop.org/git.do?p=olpc-2.6;a=shortlog;h=vserver

This branch will get other development updates and is slated, barring
unforeseen problems, to become the build branch for Trial-2, meaning
the Trial-2 build will run a container-enabled kernel by default. A
few days ago, Mitch Bradley reported having successfully integrated
our BIOS cryptography code into Open Firmware, and he and I will be
spending part of the next week hammering out the details of this
integration.

On behalf of the security team, I am particularly pleased to announce
we've just reached a very important milestone: we have integrated
automatic containerization with Sugar on build 472 (based on Fedora
Core 7) through the Rainbow userspace security service, and with only
a trivial patch to Sugar
(http://dev.laptop.org/~krstic/sugar-rainbow.patch). Concretely, we
have an XO in the office where
clicking an activity icon shows the activity as usual, but the
loading machinery in the background automatically launched the
activity in a container. No restrictions are yet imposed on the
containers -- that's where our work will turn now, as well as towards
working with the Sugar team to bring this functionality soon to a
Sugar near you. I hope to also announce working secure activation
(delivery chain protection) code soon.

Cheers,
--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D